1 Introduction

In ordinary mathematics, an equation can be written down which is syntactically correct, but for which no solution exists. For example, consider the equation x = x + 1 defined over the real numbers; there is no value of x which satisfies it. Similarly it is possible to specify objects using the formal specification language Z [3,4] which cannot possibly exist. Such specifications are called inconsistent and can arise in a number of ways.

Example 1

The following Z specification of a function f, from integers to integers

$$\forall x : \mathbb{Z} \mid x \leq 0 \bullet f\,x = x + 1 \qquad (i)$$

$$\forall x : \mathbb{Z} \mid x \geq 0 \bullet f\,x = x + 2 \qquad (ii)$$

is inconsistent, because axiom (i) gives f 0 = 1, while axiom (ii) gives f 0 = 2. This contradicts the fact that f was declared as a function, that is, f must have a unique result when applied to an argument. Hence no such f exists. Furthermore, if f 0 = 1 and f 0 = 2 then 1 = 2 can be deduced! From 1 = 2 anything can be deduced, thus showing the danger of an inconsistent specification.

△

Note that all examples and proofs start with the word Example or Proof and end with the symbol △.

1.1 Free types

Another way in which inconsistencies can arise in Z specifications is in the use of free types. Unlike given sets, a free type has some structure. Strictly, in Z, there is a difference between a type and its underlying set, but from here on, a type and its underlying set are regarded as equivalent. Z has a very powerful method for introducing free types, but this power can lead to inconsistencies. The general form for a free type definition is

$$T ::= c_1 \mid \ldots \mid c_m \mid d_1 \langle\!\langle E_1[T] \rangle\!\rangle \mid \ldots \mid d_n \langle\!\langle E_n[T] \rangle\!\rangle \qquad (1)$$

This defines a new type T to be the labelled disjoint union of c1, ..., cm, E1[T], ..., En[T]. The E1[T], ..., En[T] are set valued expressions which may involve T; if any of them do involve T then T is a recursive free type. The elements of T are the ci and anything of the form di x where x is an element of Ei[T]. Expression (1) need not have any arms ci, or it need not have any arms di ⟨⟨Ei[T]⟩⟩, but obviously it must have at least one arm.
If T is a recursive free type, it must have one or more "base elements": elements which enable other, more complicated elements to be constructed. The following example illustrates this concept.

Example 2

A particular example of a free type is

$$T ::= a \mid b \langle\!\langle D \rangle\!\rangle \mid c \langle\!\langle F \times T \rangle\!\rangle$$

where D and F are given sets. T is a recursive free type, and comparing it with (1) gives

$$c_1 = a, \quad d_1 = b, \quad d_2 = c, \quad E_1[T] = D, \quad E_2[T] = F \times T$$

The "base elements" of T come from the first two arms. They are a and anything of the form b d for some element d of D. These can then be used to build up more complicated elements using the third arm, for example

$$c\,(f_1,\ b\,d)$$

for some element f1 of F. These more complicated elements can then themselves be used to build up even more complicated elements, for example

$$c\,(f_2,\ c\,(f_1,\ b\,d))$$

for some element f2 of F, and so on.

△

The general free type definition (1) is simply shorthand for the following Z

$$
\begin{array}{l}
[T] \\[4pt]
c_1, \ldots, c_m : T \\
d_1 : E_1[T] \rightarrowtail T \\
\quad \vdots \\
d_n : E_n[T] \rightarrowtail T \\
\hline
\mathrm{disjoint}\,(\{c_1\}, \ldots, \{c_m\}, \mathrm{ran}\,d_1, \ldots, \mathrm{ran}\,d_n) \qquad (i) \\
\forall W : \mathbb{P}\,T \bullet \{c_1, \ldots, c_m\} \cup d_1(\!|\,E_1[W]\,|\!) \cup \ldots \cup d_n(\!|\,E_n[W]\,|\!) \subseteq W \Rightarrow T \subseteq W \qquad (ii)
\end{array}
\qquad (2)
$$

The ci are declared as elements of T, while the di are declared as injective functions (known as the constructors of T) from Ei[T] to T. Axiom (i) states that the elements of E1[T], ..., En[T] are mapped onto different elements of T, which are in turn different from the elements c1, ..., cm of T. Axiom (ii) is known as the induction principle for the free type, and can be used to prove statements of the form ∀ t : T • P(t), for some property P, by structural induction. The expression Ei[W] is obtained from Ei[T] by replacing every free occurrence of T in Ei[T] by W. A consequence of the induction principle is that T contains only the elements c1, ..., cm and those that can be constructed using d1, ..., dn. It contains no other elements than these. Incidentally, as W has type ℙT in axiom (ii), and so W ⊆ T, the sub-predicate T ⊆ W of axiom (ii) may be replaced with T = W if desired.

Example 3

For the free type in example 2, the general form in (2) becomes

$$
\begin{array}{l}
[T] \\[4pt]
a : T \\
b : D \rightarrowtail T \\
c : (F \times T) \rightarrowtail T \\
\hline
\mathrm{disjoint}\,(\{a\}, \mathrm{ran}\,b, \mathrm{ran}\,c) \\
\forall W : \mathbb{P}\,T \bullet \{a\} \cup b(\!|\,D\,|\!) \cup c(\!|\,F \times W\,|\!) \subseteq W \Rightarrow T \subseteq W
\end{array}
$$

△

For some recursive free types, the objects specified in (2) cannot possibly exist. To see how easily this can happen, consider examples 4, 5 and 6.

Example 4

Consider a programming language whose values are either booleans or functions involving booleans. To give a semantics for this language, using the specification language Z, the following free type might be used to express the values of the language

$$\mathit{Value} ::= \mathit{bool} \langle\!\langle \{T, F\} \rangle\!\rangle \mid \mathit{fun} \langle\!\langle \mathit{Value} \rightarrow \mathit{Value} \rangle\!\rangle$$

It states that values are either booleans or functions from values to values. From (2), one of the declarations is

$$\mathit{fun} : (\mathit{Value} \rightarrow \mathit{Value}) \rightarrowtail \mathit{Value}$$

But no such fun can exist, because for any set Value, the size of the set Value → Value is always greater than the size of Value. Thus there is no total injective function from Value → Value to Value. So the free type Value cannot possibly exist, and any semantics based on this free type will be invalid.

△

Example 5

For a more rigorous argument of why a certain free type does not exist, consider a slightly simpler version of example 4, namely

$$\mathit{Value} ::= \mathit{fun} \langle\!\langle \mathit{Value} \rightarrow \{T, F\} \rangle\!\rangle$$

Here, the "base element" of Value is fun {} since {} is an element of Value → {T, F}. But again, this free type does not exist because no function

$$\mathit{fun} : (\mathit{Value} \rightarrow \{T, F\}) \rightarrowtail \mathit{Value}$$

exists. The reason is as follows. The size of Value → {T, F} is 2^{#Value}, since each element of Value can be mapped to one of two values. By Cantor's theorem #Value < 2^{#Value}, for any set Value (even infinite). Thus no total injective function fun from Value → {T, F} to Value can possibly exist, and hence the free type Value does not exist.

△

Example 6

In Spivey [5], a rigorous argument is given which can be used to explain why the free type

$$T ::= c \langle\!\langle \mathbb{P}\,T \rangle\!\rangle$$

does not exist. The argument is as follows. Define the subset U of T, where

$$U = \{ V : \mathbb{P}\,T \mid c\,V \notin V \bullet c\,V \}$$

Now for any set S : ℙT

$$
\begin{array}{lll}
 & c\,S \in U & \\
\Leftrightarrow & \exists V : \mathbb{P}\,T \mid c\,V \notin V \bullet c\,V = c\,S & [\text{definition of } U] \\
\Leftrightarrow & \exists V : \mathbb{P}\,T \mid c\,V \notin V \bullet V = S & [c \text{ is an injection}] \\
\Leftrightarrow & \exists V : \mathbb{P}\,T \bullet (c\,V \notin V) \wedge (V = S) & [\text{first order predicate calculus}] \\
\Leftrightarrow & \exists V : \mathbb{P}\,T \bullet (c\,S \notin S) \wedge (V = S) & ["] \\
\Leftrightarrow & (c\,S \notin S) \wedge \exists V : \mathbb{P}\,T \bullet V = S & ["] \\
\Leftrightarrow & c\,S \notin S & [\text{an existential witness for } V \text{ is } S]
\end{array}
$$

So the following theorem has been derived

$$\vdash \forall S : \mathbb{P}\,T \bullet (c\,S \in U) \Leftrightarrow (c\,S \notin S) \qquad (3)$$

Specializing theorem (3) with S = U, the following contradictory theorem is obtained

$$\vdash (c\,U \in U) \Leftrightarrow (c\,U \notin U)$$

and so the free type T does not exist (an alternative argument for why T does not exist would be similar to that in example 5, since the size of ℙT is 2^{#T}).

△

Example 7

Now consider the free type

$$T ::= c \langle\!\langle \mathbb{F}\,T \rangle\!\rangle \qquad (4)$$

where 𝔽T is the set of all finite subsets of T. This time T exists, so it is interesting to see where the contradiction in example 6 breaks down. If the reasoning of example 6 is followed, but with 𝔽 replacing every occurrence of ℙ, then a theorem similar to (3) is obtained, namely

$$\vdash \forall S : \mathbb{F}\,T \bullet (c\,S \in U) \Leftrightarrow (c\,S \notin S) \qquad (5)$$

But this time, there is no guarantee that the set

$$U = \{ V : \mathbb{F}\,T \mid c\,V \notin V \bullet c\,V \}$$

has type 𝔽T, and so specializing theorem (5) with S = U is not valid. The reason why U could be infinite, that is, not of type 𝔽T, is as follows. Clearly, any set T which satisfies (4) is infinite. As T is infinite, U could be infinite, since there will be an infinite number of sets V : 𝔽T (remember that if T is infinite then the set 𝔽T is infinite; it is just the elements of 𝔽T, themselves sets, that are finite). Thus U could consist of an infinite number of c V.

△

1.2 Recursive functions

Having specified a recursive free type, the Z user will more than likely want to specify a recursive function over the free type. This use of recursive functions is another way inconsistencies can arise in Z specifications. Even if the recursive free type exists, the recursive function may not.
Example 8

The natural numbers can be considered as a free type, namely

$$\mathit{nat} ::= 0 \mid \mathit{suc} \langle\!\langle \mathit{nat} \rangle\!\rangle$$

Thus nat = {0, suc 0, suc(suc 0), ...}. The factorial function ! below exists (where the abbreviation 1 has been used for suc 0)

$$
\begin{array}{l}
!\ : \mathit{nat} \rightarrow \mathit{nat} \\
\hline
0! = 1 \\
\forall n : \mathit{nat} \bullet (\mathit{suc}\,n)! = (\mathit{suc}\,n) \times n!
\end{array}
$$

But the function f below does not exist

$$
\begin{array}{l}
f : \mathit{nat} \rightarrow \mathit{nat} \\
\hline
f\,0 = 0 \\
\forall n : \mathit{nat} \bullet \mathit{suc}(f(\mathit{suc}\,n)) = f\,n
\end{array}
$$

since the second axiom gives suc(f 1) = f 0 (when n = 0). This together with the first axiom gives suc(f 1) = 0. Now f 1 cannot possibly be an element of nat, for if it was then the equation suc(f 1) = 0 would contradict one of the axioms of the free type nat, namely

$$\mathrm{disjoint}\,(\{0\}, \mathrm{ran}\,\mathit{suc})$$

Even if the result of a function on the argument 1 is specified directly, for example

$$
\begin{array}{l}
g : \mathit{nat} \rightarrow \mathit{nat} \\
\hline
g\,0 = 0 \\
g\,1 = 0 \\
\forall n : \mathit{nat} \bullet g(\mathit{suc}\,n) = \mathit{suc}(g\,n)
\end{array}
$$

then this could lead to problems as well, since g does not exist either. The reason is that the third axiom gives g 1 = suc(g 0) (when n = 0). This together with the first axiom gives g 1 = 1, which together with the second axiom gives 0 = 1.

△
1.3 Content of the report

Two ways of proving that a Z recursive free type exists are discussed. The first method is to prove the finitary condition for the free type. This is discussed in section 2.1, which also contains a strategy for proving the finitary condition. From this strategy it can be seen that a recursive free type T will exist provided that each arm d ⟨⟨E[T]⟩⟩ that contains T is such that each element of E[T] is formed from a finite number of elements of T. In particular, recursive free types containing only the constructions ×, 𝔽, ⇸ and seq will exist.

The second method for proving that a recursive free type exists, discussed in section 2.2, is to use a definitional extension. The idea here is to construct a representation of the free type, the representation being a non-empty subset of an already existing type. The free type is then made isomorphic to its representation. The free type must then exist since it is isomorphic to a non-empty subset of an already existing type. The particular representation discussed is to use a set of labelled trees to represent the free type.

A technique for proving that a recursive function defined over a recursive free type exists is also discussed. A theorem called the primitive recursion theorem (PRT) for the free type is used to derive another theorem stating the existence of the function. Using the definitional extension method, the PRT can be proved from the representation; otherwise, having proved the finitary condition, the PRT may be stated as an axiom. The PRT is discussed in section 3. Section 4 contains a section on rules of thumb for the Z practitioner, on how to avoid writing inconsistent free types and recursive functions, as well as a summary and the conclusions of the report.


2  Proving  recursive  free  types  exist 

The  Z  practitioner  who  is  interested  in  some  handy  rules  of  thumb  for  avoiding 
inconsistent  free  types,  rather  than  the  details  presented  in  this  section,  should  go  to 
section  4.1. 

2.1 The finitary condition

In Spivey [3], a proof obligation is given which, if satisfied, means that the recursive free type exists. This condition is called the finitary condition, and is a sufficient, but not a necessary, condition. The general form of a free type definition is

$$T ::= c_1 \mid \ldots \mid c_m \mid d_1 \langle\!\langle E_1[T] \rangle\!\rangle \mid \ldots \mid d_n \langle\!\langle E_n[T] \rangle\!\rangle$$

where E1[T], ..., En[T] are expressions which might involve T. If any of them do involve T, then of course T is a recursive free type. T then exists provided that each Ei[T] that does involve T is a finitary construction of T. Roughly speaking, a construction is finitary if each element of it is built from a finite number of elements of T. In such cases, as an element of T is built from a finite number of other elements of T, each element of T can be "listed" in order (with respect to some ordering). The fact that the elements of T can be "listed" means that T must exist.

Example 9

The free type

$$T ::= a \mid b \langle\!\langle L \rangle\!\rangle \mid c \langle\!\langle M \times T \rangle\!\rangle \mid d \langle\!\langle N ⇸ T \rangle\!\rangle$$

where L, M and N are given sets, will exist provided that the two constructions M × T and N ⇸ T are finitary. Now, each element of the construction M × T has the form (m, t) for some m in M and t in T, and so is built from one element of T. Thus M × T is finitary. Similarly N ⇸ T is finitary because each element of N ⇸ T has the form

$$\{ n_1 \mapsto t_1,\ n_2 \mapsto t_2,\ \ldots,\ n_k \mapsto t_k \}$$

for some number k and n1, n2, ..., nk in N and t1, t2, ..., tk in T, and so consists of a finite number of elements of T, in this case k elements.

△
Formally, from Spivey [3], a construction E[T] is a finitary construction of T if, for any countably infinite sequence of subsets

$$X_1 \subseteq X_2 \subseteq X_3 \subseteq \ldots$$

of a set X, the following condition is satisfied

$$\bigcup_i (E[X_i]) = E[\bigcup_i (X_i)] \qquad (6)$$

This condition must be proved for any set X. The generalized unions ⋃ are summing terms from 1 to infinity. Thus the left hand side (LHS) of (6) means

$$E[X_1] \cup E[X_2] \cup E[X_3] \cup \ldots$$

and the right hand side (RHS) of (6) means

$$E[X_1 \cup X_2 \cup X_3 \cup \ldots]$$

For any set S, the expression E[S] is obtained from E[T] by replacing all free occurrences of T in E[T] by S. In Spivey [3], the finitary condition is stated slightly differently to (6). It is equivalent but also requires a construction E[T] to be monotonic, that is, if A ⊆ B then E[A] ⊆ E[B]. Condition (6) is the same as that stated in Arthan [6]. Arthan points out that any construction E[T] satisfying (6) is also monotonic, and the proof of this is as follows.

Proof

Suppose E[T] satisfies (6) and A ⊆ B. From this it must be shown that E[A] ⊆ E[B]. As (6) is true for any countably infinite sequence of subsets, then in particular it must be true for

$$A \subseteq B \subseteq B \subseteq B \subseteq \ldots \qquad \text{(one } A \text{, the rest } B\text{)}$$

In this case (6) gives

$$E[A] \cup E[B] \cup E[B] \cup E[B] \cup \ldots = E[A \cup B \cup B \cup B \cup \ldots]$$

which can be simplified to

$$E[A] \cup E[B] = E[A \cup B] \qquad (7)$$

But A ⊆ B and so A ∪ B = B, hence from (7)

$$E[A] \cup E[B] = E[B]$$

From this, it must be the case that E[A] ⊆ E[B] as required.

△

It is now instructive to see the finitary condition (6) proved for a particular construction.

Example 10

Consider the construction E[T] = T × T. From (6), the following condition must be proved

$$\bigcup_i (X_i \times X_i) = \bigcup_i (X_i) \times \bigcup_i (X_i) \qquad (8)$$

for any countably infinite sequence of subsets Xi of any set X. Notice that (8) is an equality between two sets. It can therefore be proved from the two statements

$$\bigcup_i (X_i \times X_i) \subseteq \bigcup_i (X_i) \times \bigcup_i (X_i) \qquad (9)$$

$$\bigcup_i (X_i \times X_i) \supseteq \bigcup_i (X_i) \times \bigcup_i (X_i) \qquad (10)$$

Statement (9) is the most straightforward and will be proved first. Let a be an element of the LHS. It must be shown that a is an element of the RHS. From the definition of ⋃, if a is an element of the LHS then for some number n

$$a \in X_n \times X_n$$

Therefore

$$(\mathit{fst}(a) \in X_n) \wedge (\mathit{snd}(a) \in X_n)$$

Using the definition of ⋃

$$(\mathit{fst}(a) \in \bigcup_i (X_i)) \wedge (\mathit{snd}(a) \in \bigcup_i (X_i))$$

and so

$$a \in \bigcup_i (X_i) \times \bigcup_i (X_i)$$

as required.

The proof of (10) is as follows. This time if a is an element of the RHS then it must be shown that a is an element of the LHS. If a is an element of the RHS then

$$(\mathit{fst}(a) \in \bigcup_i (X_i)) \wedge (\mathit{snd}(a) \in \bigcup_i (X_i))$$

From the definition of ⋃, then for some m and n

$$(\mathit{fst}(a) \in X_m) \wedge (\mathit{snd}(a) \in X_n) \qquad (11)$$

Let max be the larger of the two numbers m and n. Then certainly

$$(m \leq \mathit{max}) \wedge (n \leq \mathit{max}) \qquad (12)$$

Now X1 ⊆ X2 ⊆ X3 ⊆ ... and so from (12)
=  (13) 

From (11) and (13)

$$(\mathit{fst}(a) \in X_{\mathit{max}}) \wedge (\mathit{snd}(a) \in X_{\mathit{max}})$$

Thus

$$a \in X_{\mathit{max}} \times X_{\mathit{max}}$$

and so from the definition of ⋃

$$a \in \bigcup_i (X_i \times X_i)$$

as required.

△


The proof of the finitary condition for other constructions is similar to the above. Recall that the finitary condition is ⋃(E[Xi]) = E[⋃(Xi)], and this can be proved by proving the two conditions

$$\bigcup_i (E[X_i]) \subseteq E[\bigcup_i (X_i)] \qquad (i)$$

$$\bigcup_i (E[X_i]) \supseteq E[\bigcup_i (X_i)] \qquad (ii)$$

The proof of (i) is fairly straightforward, and the proof of (ii) involves constructing a number max as in the above proof of the finitary condition for E[T] = T × T. The intuition behind max is as follows. The proof of (ii) is achieved by showing that if a is in the RHS then it is also in the LHS. Now if a is in the RHS then it is formed from elements of ⋃(Xi) (which shall, for the rest of this paragraph, be called the components of a). So each of these components must be in Xn for some number n. If E[T] is finitary then there will only be a finite number of such n. The number max is the largest of these numbers n. Having obtained max, the proof of (ii) can then be completed, since all the components of a will be in Xmax (as the Xi form an infinite sequence of subsets). Thus a can be constructed from elements of Xmax, that is, a is in E[Xmax] and so is in the LHS of (ii). A few examples of constructing max for various constructions E[T] will now be given.

Example 11

Consider E[T] = 𝔽T. (ii) above becomes

$$\bigcup_i (\mathbb{F}(X_i)) \supseteq \mathbb{F}(\bigcup_i (X_i))$$

To prove this, it has to be shown that if a is an element of the RHS, then a is also an element of the LHS. If a is an element of the RHS, then from the definition of 𝔽, a is a finite subset of ⋃(Xi). So every element x of a is also an element of ⋃(Xi), and by the definition of ⋃, is also an element of X_{n(x)}, for some number n(x). This number is written as n(x) to show its dependence on x. The number max is then the largest of the numbers n(x), that is, the largest of the set of numbers

$$\{ x : a \bullet n(x) \}$$

△

Example 12

Consider E[T] = B ⇸ T, where B is a given set. This time (ii) above is

$$\bigcup_i (B ⇸ X_i) \supseteq B ⇸ \bigcup_i (X_i)$$

Once again it has to be shown that if a is an element of the RHS, then it is also an element of the LHS. If a is an element of the RHS, then ran(a) is a subset of ⋃(Xi). So every element x of ran(a) is also an element of ⋃(Xi), and by the definition of ⋃, is also an element of X_{n(x)}, for some number n(x). The number max is then the largest of the numbers n(x), that is, the largest of the set of numbers

$$\{ x : \mathrm{ran}(a) \bullet n(x) \}$$

△

Example 13

As a final example of finding max, consider E[T] = T × 𝔽T, which contains both × and 𝔽. This time (ii) above is

$$\bigcup_i (X_i \times \mathbb{F}(X_i)) \supseteq \bigcup_i (X_i) \times \mathbb{F}(\bigcup_i (X_i))$$

Once again it has to be shown that if a is an element of the RHS, then it is also an element of the LHS. If a is an element of the RHS, then fst(a) is an element of ⋃(Xi) and snd(a) is an element of 𝔽(⋃(Xi)). So by the definition of ⋃, fst(a) is an element of Xm for some number m, and from the definition of 𝔽, snd(a) is a finite subset of ⋃(Xi). So every element x of snd(a) is also an element of ⋃(Xi), and by the definition of ⋃, is also an element of X_{n(x)}, for some number n(x). The number max is then the largest of the set of numbers

$$\{ m \} \cup \{ x : \mathit{snd}(a) \bullet n(x) \}$$

△

So it can be seen that a construction E[T] is finitary if each element of E[T] is made from a finite number of elements of T. In particular, constructions of T just involving ×, 𝔽, ⇸ and seq will be finitary, for example

$$(A \times T) ⇸ (\mathrm{seq}\,T)$$

where A is a given set. From examples 10, 11, 12 and 13 it can be seen that the formation of max in such cases could be automated. Thus some, if not all, of the proof of the finitary condition for a recursive free type involving only ×, 𝔽, ⇸ and seq could be automated.
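The remark that the formation of max could be automated, as an added example that is not part of the report: a Python model of the constructions of examples 10 to 13 (×, 𝔽, ⇸ and seq, written here as Prod, FinSet, FinPfun and Seq) which extracts the components of an element a and computes max over a chain X1 ⊆ X2 ⊆ ... of subsets. The chain nat_chain, the sample elements and all class and function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Iterator

# Constructions E[T] as small combinator trees: TRef is the free type T
# itself, Given a given set such as A or B, the rest are x, F, the finite
# partial function arrow and seq.  All names are this example's own.
@dataclass(frozen=True)
class TRef:
    pass

@dataclass(frozen=True)
class Given:
    name: str

@dataclass(frozen=True)
class Prod:        # E1 x E2, elements are pairs
    left: Any
    right: Any

@dataclass(frozen=True)
class FinSet:      # F E, elements are frozensets
    elem: Any

@dataclass(frozen=True)
class FinPfun:     # D -ffun-> R, elements are dicts
    dom: Any
    ran: Any

@dataclass(frozen=True)
class Seq:         # seq E, elements are tuples
    elem: Any

def components(e: Any, a: Any) -> Iterator[Any]:
    """Yield the elements of T from which a, an element of E[U(X_i)], is
    built: the "components of a" of the report.  Every construction here
    is finitary, so the walk visits finitely many components."""
    if isinstance(e, TRef):
        yield a
    elif isinstance(e, Given):
        return
    elif isinstance(e, Prod):
        yield from components(e.left, a[0])
        yield from components(e.right, a[1])
    elif isinstance(e, (FinSet, Seq)):
        for x in a:
            yield from components(e.elem, x)
    elif isinstance(e, FinPfun):
        for k, v in a.items():
            yield from components(e.dom, k)
            yield from components(e.ran, v)
    else:
        raise TypeError(f"unknown construction {e!r}")

def index_in_chain(x: Any, chain: Callable[[int], frozenset], limit: int = 10_000) -> int:
    """n(x): the least n with x in X_n, where chain(n) is X_n (limit only
    bounds the search; the chain itself is assumed to be increasing)."""
    for n in range(1, limit + 1):
        if x in chain(n):
            return n
    raise ValueError(f"{x!r} is not in any X_n up to X_{limit}")

def max_index(e: Any, a: Any, chain: Callable[[int], frozenset]) -> int:
    """The report's max: the largest n(x) over the components of a.  An
    element with no components (such as the empty set) lies in E[X_1]."""
    return max((index_in_chain(x, chain) for x in components(e, a)), default=1)

def in_E(e: Any, a: Any, X: frozenset) -> bool:
    """a in E[X] holds exactly when every component of a lies in X."""
    return all(x in X for x in components(e, a))

def nat_chain(n: int) -> frozenset:
    """Constructed chain of subsets of the naturals, X_n = {0, ..., n-1},
    so that n(x) = x + 1 for a natural number x."""
    return frozenset(range(n))

# The constructions of examples 10 to 13 and of the closing remark.
E10 = Prod(TRef(), TRef())                                 # T x T
E11 = FinSet(TRef())                                       # F T
E12 = FinPfun(Given("B"), TRef())                          # B -ffun-> T
E13 = Prod(TRef(), FinSet(TRef()))                         # T x F T
E_MIXED = FinPfun(Prod(Given("A"), TRef()), Seq(TRef()))   # (A x T) -ffun-> seq T

def demo() -> dict:
    """max for a constructed element of each construction, checking that
    the element lies in E[X_max] but not in E[X_(max-1)]."""
    cases = {
        "T x T": (E10, (2, 5)),
        "F T": (E11, frozenset({0, 7})),
        "B -ffun-> T": (E12, {"p": 2, "q": 9}),
        "T x F T": (E13, (3, frozenset({1, 4}))),
        "(A x T) -ffun-> seq T": (E_MIXED, {("x", 1): (0, 2), ("y", 4): ()}),
    }
    out = {}
    for name, (e, a) in cases.items():
        m = max_index(e, a, nat_chain)
        assert in_E(e, a, nat_chain(m)) and not in_E(e, a, nat_chain(m - 1))
        out[name] = m
    return out
```

For ℙT the same walk would not terminate on an element with infinitely many components, which is exactly why no max can be formed there.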

2.1.1 The finitary condition and the world of sets

In Spivey [4], a semantics of the Z language is given. This semantics is in terms of a world of sets, W, in which everything is a set. The idea is that the meaning of each piece of Z can be explained by giving it a representation in W. The relationship between a piece of Z and its representation is known as a model for the piece of Z. The axioms of W are those of Zermelo-Fraenkel set theory, but with the axioms of replacement and choice omitted. But there has been some discussion recently as to whether all finitary free types have a model in W, and hence whether a semantics can be given for them. It is not obvious that every finitary free type has a model in W. But Arthan [6] has shown that if the axiom of choice is added to the axioms of W then it is certain that every finitary free type has a model in W.


2.2 Definitional extension

Another way to be sure that a recursive free type exists is to use a definitional extension. A definitional extension is where a new object is defined in terms of existing objects, in a way that ensures the existence of the new object. In the case of free types, this means defining a free type in terms of a subset of an existing type. The subset is identified by supplying a predicate over the existing type. The subset consists of all those elements of the existing type which satisfy the predicate. There is a proof obligation that the subset is non-empty. The free type is then simply defined to be isomorphic to the subset. The constructors of the free type are then defined.

The subset described above is thus a representation of the free type, and the trick is to find the right representation that truly captures the semantics of the free type. It will soon become obvious that this is not the case if the usual properties of the free type cannot be proved from the representation (for example that the constructors are injective). The work presented here is based on Melham [2], but has been extended to deal with more complicated free types. Melham's work can only be used to show how a free type T involving existing types, × and simple occurrences of T, for example

$$T ::= c \langle\!\langle A \times T \rangle\!\rangle \mid d \langle\!\langle B \times T \times T \rangle\!\rangle$$

where A and B are given sets, can be represented. It cannot be used, for example, to show how the free type

$$T ::= c \langle\!\langle A ⇸ T \rangle\!\rangle$$

can be represented. The reason why Melham did not consider more complicated free types is so that the work could be easily automated in the HOL theorem proving system [1]. Both the representation of the free type and the proof of the primitive recursion theorem (used to prove the existence of recursive functions over recursive free types, see section 3) have been automated in HOL. The ML function in HOL which does this is called define_type. This section first describes Melham's work and then shows how it can be extended.

In Melham's work, a set of labelled finite trees is used to represent a free type. The actual labels used and the shape of the trees depend on the particular free type. Labelled trees can themselves be defined using a definitional extension. The type used to represent labelled trees can also be defined using a definitional extension, and so on. In fact, any new type in HOL can be built up from existing types using a definitional extension. Melham's work for free types is best explained by an example. The following example is explained using Z, but the annex shows how define_type in HOL automatically constructs the representation. The annex also shows how define_type automatically proves the primitive recursion theorem for the free type.
Example 14

Consider the free type

$$T ::= c \langle\!\langle A \rangle\!\rangle \mid d \langle\!\langle B \times T \times T \rangle\!\rangle$$

where A and B are given sets. An element of T can be represented by a tree labelled with elements of Tlabels where

$$\mathit{Tlabels} ::= l \langle\!\langle A \rangle\!\rangle \mid r \langle\!\langle B \rangle\!\rangle$$

Note that the free type Tlabels exists as it is simply the labelled disjoint union of A and B, and is not recursive. In general, Tlabels will have the same number of arms as T. Let Tlabels_tree denote the type of trees of any shape whose nodes are labelled with elements of Tlabels. The free type T is to be represented by a subset of Tlabels_tree. An element c a of T can be represented by the tree

      l a
       •

An element d(b, t1, t2) of T, where b is an element of B and t1, t2 are elements of T, can be represented by the tree

        r b
         •
        / \
       /   \
      •     •
  REP t1   REP t2

where REP t1 and REP t2 are the tree representations of t1 and t2. Let Node label subtree_seq denote the tree with top node labelled with label, and sequence of subtrees subtree_seq from that node. Then basically, a tree will represent an element of T provided that

$$
\begin{array}{l}
(\exists a : A \bullet \mathit{label} = l\,a) \wedge (\#\,\mathit{subtree\_seq} = 0) \\
\vee\ (\exists b : B \bullet \mathit{label} = r\,b) \wedge (\#\,\mathit{subtree\_seq} = 2)
\end{array}
$$

Actually, as it stands, the above predicate only describes the top of such a tree. For example, there will be trees satisfying the above predicate which contain a node (lower down the tree) with three or more subtrees branching from it. But such trees do not represent elements of T. For this reason, the above predicate is strengthened by applying a function TRP (see annex). This function makes sure that the above predicate holds all the way down the tree. The resulting predicate then characterises the subset of Tlabels_tree which is to represent T. Next, the free type T is simply defined to be isomorphic to the subset, giving the isomorphisms REP of type T → Tlabels_tree and ABS of type Tlabels_tree → T. The constructors c and d of T can now be defined:

$$\forall a : A \bullet c\,a = \mathit{ABS}(\mathit{Node}\ (l\,a)\ \langle\rangle)$$

$$\forall b : B;\ t_1, t_2 : T \bullet d(b, t_1, t_2) = \mathit{ABS}(\mathit{Node}\ (r\,b)\ \langle \mathit{REP}\,t_1, \mathit{REP}\,t_2 \rangle)$$

△

The next three examples show how Melham's technique can be extended. To keep some uniformity, labelled trees will be used throughout to represent the following three free types. All three examples are explained using Z.

Example 15

Consider the free type

$$T ::= c \langle\!\langle \mathrm{seq}\,T \rangle\!\rangle$$

This time let Tlabels be a type consisting of a single value, say unit, and Tlabels_tree be the type of trees, of any shape, whose nodes are labelled with unit. An element c s of T, where s is an element of seq T, can be represented by the tree whose top node is labelled with unit and with a subtree for each element of s, the subtree being the representation of the element of s. For example, the element c ⟨t1, t2, t3⟩ of T is represented by

          unit
           •
         / | \
        /  |  \
       •   •   •
  REP t1 REP t2 REP t3

In fact, every element of Tlabels_tree will represent some element of T. Thus T is represented by the whole of Tlabels_tree. So the predicate which characterises the required subset of Tlabels_tree is simply true. The free type T is then defined to be isomorphic to the whole of Tlabels_tree and the constructor c is then defined as

$$\forall s : \mathrm{seq}\,T \bullet c\,s = \mathit{ABS}(\mathit{Node}\ \mathit{unit}\ (\mathit{map}\ \mathit{REP}\ s))$$

where map REP s is the sequence consisting of the representations of the elements of s.

△

Example  16 

Consider  the  free  type 


T  ::=  c  «  FT  » 


Let Tlabels and Tlabels_ltree be those of the last example. This time, only a subset of
Tlabels_ltree will represent T. This is because distinct elements such as c ⟨t1, t2⟩ and
c ⟨t2, t1⟩ in the last example collapse down to the single element c {t1, t2} in this
example. Hence, loosely speaking, the free type in this example does not have as
many elements as the free type in the last example, and so its representation will
not have as many elements. Consider an element c {t1, t2} of T. As
c {t1, t2} = c {t2, t1}, which one of the two trees


           unit                        unit
           /  \                        /  \
          /    \                      /    \
      REP t1  REP t2              REP t2  REP t1


should be used as the representation? The problem is overcome by defining a function
set_seq which converts a set into a sequence; it orders the elements of the set. The
particular ordering produced by set_seq is not important, only the fact that the elements
are ordered. The function set_seq is a polymorphic function and so can be applied to a
set of anything. This function can be used to determine which of the two trees above
should be used as the representation of c {t1, t2}. Suppose
set_seq {REP t1, REP t2} = ⟨REP t2, REP t1⟩; then the right hand tree above will be
used as the representation of c {t1, t2}. Basically, a tree Node label subtree_seq will
represent an element of T provided that the following predicate holds

subtree_seq ∈ (ran set_seq)

Once again, as explained in example 14, the function TRP must be applied to the above
predicate, to give the actual predicate which characterises the required subset of
Tlabels_ltree. Once again, T is then defined to be isomorphic to this subset. The
constructor c is then defined as

∀ s : 𝔽 T • c s = ABS(Node unit (set_seq (REP(| s |))))

where REP(| s |) is the set of representations of the elements of s.


A 

Example  17 

Consider  the  free  type 


T ::= c « A ⇻ T »

where A is a given set. This time let Tlabels = 𝔽 A, and as usual let Tlabels_ltree be the
type of trees, of any shape, labelled with elements of Tlabels. An element c f of T can be
represented by the tree whose top node is labelled dom f and which has a subtree
representing each f a, where a is in dom f. The order of these subtrees can again be
determined by the function set_seq which appeared in the last example. For example,
consider the element c {a1 ↦ t1, a2 ↦ t2, a3 ↦ t3} of T. Suppose
set_seq {a1, a2, a3} = ⟨a3, a1, a2⟩. Then this element of T can be represented by

           {a1, a2, a3}
              / | \
             /  |  \
            /   |   \
       REP t3 REP t1 REP t2
An element of Tlabels_ltree will represent an element of T provided that, at every node,
the cardinality of the label is equal to the number of subtrees from that node. So,
basically, an element Node label subtree_seq of Tlabels_ltree is a representation if

#label = #subtree_seq

Once again, as explained in example 14, the function TRP must be applied to the above
predicate. After defining T to be isomorphic to the required subset of Tlabels_ltree, the
constructor c can be defined as

∀ f : A ⇻ T • c f = ABS(Node (dom f) (map (REP ∘ f) (set_seq (dom f))))

A 
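To make the three representations of examples 15, 16 and 17 concrete, the following is an added Python example (not code from the report): labelled trees as a small dataclass, TRP as in example 14, a set_seq whose ordering is an arbitrary but fixed choice (sorting by repr, an assumption of this example), and the representation predicate and constructor for each of the three free types. REP and ABS are taken as identities, that is, an element of T is identified with its representing tree, which is a simplification of the isomorphism the report sets up; the sample elements in demo are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Mapping, Tuple


@dataclass(frozen=True)
class Node:
    """Tlabels_ltree: a labelled tree of any shape, Node label subtree_seq."""
    label: object
    subtrees: Tuple["Node", ...] = ()


UNIT = "unit"  # the single value of Tlabels in examples 15 and 16


def trp(p: Callable[[object, Tuple[Node, ...]], bool], tree: Node) -> bool:
    """TRP P (Node v tl) = (P v tl) and EVERY (TRP P) tl: P must hold all the way down."""
    return p(tree.label, tree.subtrees) and all(trp(p, t) for t in tree.subtrees)


def set_seq(s: Iterable) -> tuple:
    """Order a finite set into a sequence.  The report leaves the order unspecified;
    this example (an assumption) sorts by repr(), which totally orders our values."""
    return tuple(sorted(set(s), key=repr))


def in_ran_set_seq(seq: tuple) -> bool:
    """subtree_seq in ran set_seq: the sequence is the set_seq ordering of some set,
    so it has no repeated element and is already in set_seq order."""
    return seq == set_seq(seq)


# Example 15: T ::= c « seq T ».  Every unit-labelled tree is a representation.
def is_rep_seq(tree: Node) -> bool:
    return trp(lambda label, subtrees: label == UNIT, tree)


def c_seq(s: Iterable[Node]) -> Node:
    # c s = ABS(Node unit (map REP s)); REP and ABS are identities in this example.
    return Node(UNIT, tuple(s))


# Example 16: T ::= c « F T ».  Only canonically ordered subtree sequences qualify.
def is_rep_fin(tree: Node) -> bool:
    return trp(lambda label, subtrees: label == UNIT and in_ran_set_seq(subtrees), tree)


def c_fin(s: Iterable[Node]) -> Node:
    # c s = ABS(Node unit (set_seq (REP(| s |))))
    return Node(UNIT, set_seq(s))


# Example 17: T ::= c « A -||-> T » with Tlabels = F A.  #label = #subtree_seq at every node.
def is_rep_pf(tree: Node) -> bool:
    return trp(lambda label, subtrees: isinstance(label, frozenset)
               and len(label) == len(subtrees), tree)


def c_pf(f: Mapping[object, Node]) -> Node:
    # c f = ABS(Node (dom f) (map (REP o f) (set_seq (dom f))))
    dom = frozenset(f)
    return Node(dom, tuple(f[a] for a in set_seq(dom)))


def demo() -> dict:
    """Constructed sample values; each entry is a fact a reader can check by hand."""
    t1 = c_fin([])            # c {}: the single-node tree
    t2 = c_fin([t1])          # c {t1}
    f0 = c_pf({})             # c {}: label is the empty set, no subtrees
    f1 = c_pf({"a1": f0})     # c {a1 |-> f0}
    return {
        # seq keeps order, so c <t1, t2> and c <t2, t1> are distinct elements
        "seq_distinct": c_seq([t1, t2]) != c_seq([t2, t1]),
        "seq_valid": is_rep_seq(c_seq([t1, t2])),
        # F collapses: c {t1, t2} = c {t2, t1}, and the shared tree is a representation
        "fin_collapses": c_fin([t1, t2]) == c_fin([t2, t1]),
        "fin_valid": is_rep_fin(c_fin([t1, t2])),
        # a repeated subtree is not the ordering of any set, so the tree is rejected
        "dup_rejected": not is_rep_fin(Node(UNIT, (t1, t1))),
        # TRP checks all the way down: a bad subtree poisons an otherwise good tree
        "deep_rejected": not is_rep_fin(Node(UNIT, (Node(UNIT, (t1, t1)),))),
        "pf_valid": is_rep_pf(c_pf({"a1": f0, "a2": f1})),
        # a label of two names above a single subtree violates #label = #subtree_seq
        "pf_mismatch_rejected": not is_rep_pf(Node(frozenset({"a1", "a2"}), (f0,))),
    }
```

The "deep_rejected" entry is the point of TRP from example 14: predicate (21)-style local checks at the top node are not enough, and the predicate has to be pushed down to every node before it characterises exactly the representing trees.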

2.2.1  Problems  with  using  definitional  extensions 

Recall that using definitional extensions to define free types involves a proof
obligation that the subset of the existing type is non-empty. The free type is then
made isomorphic to this subset. This proof obligation only ensures that the free type
is non-empty. It does not ensure that the free type has the intended semantics. For
example, consider the free type T ::= c « 𝔽 T » in example 16. Suppose the mistake
was made that the predicate characterising the subset of Tlabels_ltree was too strong, so
that only the tree

unit

satisfied it. Then this subset of one tree certainly satisfies the proof obligation, but
the free type would then only have one element, since the free type is made
isomorphic to this subset. The free type would then not have the semantics of T, since
T has an infinite number of elements.

Another problem with using definitional extensions is when the free type is
complicated. For example, what representation should be used for the free type
T ::= c « 𝔽 𝔽 T »? If labelled trees are used as the representation of such free types,
then the representation certainly will not be as neat as those discussed so far.


3  Proving  recursive  functions  exist 


This section discusses a way of proving that a recursive function, defined over a
recursive free type, exists. The Z practitioner who is interested in some handy rules
of thumb for avoiding inconsistent recursive functions, rather than the details
presented here, should go to section 4.2. The technique described in this section is to
use the primitive recursion theorem (PRT) for the free type to prove another theorem
which states the existence of the function. The PRT captures the semantics of the
free type, but in a way that allows the existence of recursive functions to be proved.
The PRT can be used to prove the existence of a function f specified by
primitive recursion on a free type T. That is, for any arm d « E[T] » of T which contains
T, f(d x), where x is an element of E[T], is specified in terms of an expression
involving f and x. The following examples will make this clear. The PRTs in the
following examples can all be proved from a representation of the particular free
type, this representation coming from the definitional extension method described in
section 2.2. The annex gives an example of this, showing how the construction of the
representation and the proof of the PRT is carried out in the HOL system. Also, as
the PRT captures the semantics of the free type, not surprisingly all the usual
properties of a free type can be proved from it. For example, the PRT can be used to
prove that the elements of a free type T that can be generated from the arms of T are the
only elements of T; that is, they exhaust T. The next example, which proves the
existence of the factorial function, !, over the natural numbers, also gives some
intuition into the PRT.

Example 18

The natural numbers can be considered as a free type, namely

nat ::= 0 | suc « nat »

The PRT for nat is

⊢ ∀ e : X; f : (X × nat) → X •
    ∃₁ h : nat → X •
        h 0 = e
        ∧ ∀ n : nat • h(suc n) = f(h n, n)

The theorem is generic in X. The PRT looks a bit strange at first, but it is simply
saying that each e and f define a recursive function h (for example h could be the
factorial function); e is the base case and f is the body of h. The PRT captures the fact,
for example, that the elements of nat generated by its two arms exhaust nat. The reason
is as follows. Notice that the function h in the PRT is unique once defined on each arm
of nat. If nat contained any more elements than those generated by its two arms, then
these extra elements could be mapped by h in a number of different ways, yielding a
different function in each case. This would contradict h being unique.
The PRT can be used, for example, to prove that the factorial function

! : nat → nat                                                          (14)

0! = 1
∀ n : nat • (suc n)! = (suc n) × n!

which is recursive, actually exists. The abbreviation 1 has been used for the element
suc 0 of nat. The existence theorem for ! is proved as follows. The idea is to
instantiate the generic set X, and specialize e and f in the PRT, so that the function h in
the PRT becomes the factorial function. So instantiating X to be nat, and then
specializing e to be 1 and f to be

λ x, y : nat • (suc y) × x


the PRT gives

⊢ ∃₁ h : nat → nat •
    h 0 = 1
    ∧ ∀ n : nat • h(suc n) = (λ x, y : nat • (suc y) × x)(h n, n)

The RHS of the second equality can be simplified by β-reduction (function application)
to give

⊢ ∃₁ h : nat → nat •
    h 0 = 1
    ∧ ∀ n : nat • h(suc n) = (suc n) × (h n)

This theorem says that the factorial function specified in (14) above exists. It is
interesting to note that this theorem also says that the factorial function is unique,
and so could have been specified as

===================================
! : nat → nat
-----------------------------------
0! = 1
∀ n : nat • (suc n)! = (suc n) × n!


A 
Example 19

Consider the free type

T ::= c « A » | d « B × T »

where A and B are given sets. The PRT for T is

⊢ ∀ f : A → X; g : (X × B × T) → X •                                   (15)
    ∃₁ h : T → X •
        ∀ a : A • h(c a) = f a
        ∧ ∀ b : B; t : T • h(d(b, t)) = g(h t, b, t)

The PRT can be used to prove that the following function base exists (which computes
the base element of a member of T).

base : T → T

∀ a : A • base(c a) = c a
∀ b : B; t : T • base(d(b, t)) = base t

If the PRT (15) is first instantiated with the generic set X taking the value T, and then
specialized with the function f taking the value

λ a : A • c a

and the function g taking the value

λ t1 : T; b : B; t2 : T • t1

the theorem

⊢ ∃₁ h : T → T •
    ∀ a : A • h(c a) = (λ a : A • c a) a
    ∧ ∀ b : B; t : T • h(d(b, t)) = (λ t1 : T; b : B; t2 : T • t1)(h t, b, t)

is obtained. This theorem can then be simplified by β-reduction to give

⊢ ∃₁ h : T → T •
    ∀ a : A • h(c a) = c a
    ∧ ∀ b : B; t : T • h(d(b, t)) = h t
Hence the function base certainly exists. Once again it is unique, and so could be
specified as

base : T → T

∀ a : A • base(c a) = c a
∀ b : B; t : T • base(d(b, t)) = base t


A 

Example  20 

The PRT can also be used to prove the existence of a recursive function that has
only been specified on some of the arms of the free type (that is, underspecified). For
example, the function

γ : nat → nat

∀ n : nat • γ(suc n) = 2 × (γ n)

defined over the free type of natural numbers in example 18, has only been specified
on the second arm of nat. The abbreviation 2 has been used for the element suc(suc 0) of
nat. There are many functions which satisfy the above specification, each giving a
different value for γ 0. So any existence theorem for γ will state simple existence,
rather than unique existence. To obtain the existence theorem, the PRT for nat, which
appears in example 18, is first instantiated with X taking the value nat, and then
specialized with e taking the value 0 (in fact, this could be any value of nat), and f taking
the value

λ x, y : nat • 2 × x


followed by β-reduction to obtain

⊢ ∃₁ h : nat → nat •
    h 0 = 0
    ∧ ∀ n : nat • h(suc n) = 2 × (h n)
This theorem can be weakened to give

⊢ ∃ h : nat → nat •
    h 0 = 0
    ∧ ∀ n : nat • h(suc n) = 2 × (h n)

(the ∃₁ has been replaced by ∃), which in turn can be used to derive

⊢ h 0 = 0
  ∧ ∀ n : nat • h(suc n) = 2 × (h n)

for some h : nat → nat. From this latest theorem, it follows that

⊢ ∀ n : nat • h(suc n) = 2 × (h n)

and so

⊢ ∃ h : nat → nat •
    ∀ n : nat • h(suc n) = 2 × (h n)

which is the required existence theorem.

A 

Example  21 

Consider the function

δ : nat → nat

∀ n : nat • δ(suc n) ∈ {m : nat • m × (δ n)}

defined over the free type of natural numbers in example 18. The function δ is even
more underspecified than γ in example 20. This time, not only has δ just been specified
on the second arm of nat, but it is underspecified on this arm. The specification of δ can
be strengthened to

δ₁ : nat → nat

∀ n : nat • δ₁(suc n) = 2 × (δ₁ n)

Any δ₁ which satisfies this new specification will also satisfy the specification of δ. The
specification of δ₁ is the same as the specification of γ in example 20, where it was
shown that γ existed. Hence δ₁ exists and thus so does δ.

A 

Example  22 

Another example of a PRT is that for the free type T ::= c « seq T », which is

⊢ ∀ f : (seq X × seq T) → X •
    ∃₁ h : T → X •
        ∀ s : seq T • h(c s) = f(map h s, s)

where map h s is the new sequence formed from s by applying the function h to each
element of s. For example, if square is the function which squares a number, then
map square ⟨2, 1, 5⟩ = ⟨4, 1, 25⟩. The reason why the expression map h s is required in
the PRT above is as follows. The function h is defined by primitive recursion. Thus,
h(c s) will be defined in terms of an expression involving h applied to every element of T
that directly makes up the element c s of T. These elements of T that make up c s are the
elements of s. Hence h must be applied to every element of s; hence the expression
map h s.

A 

Example  23 

Another example is the PRT for the free type T ::= c « 𝔽 T », which is

⊢ ∀ f : (𝔽 X × 𝔽 T) → X •
    ∃₁ h : T → X •
        ∀ set : 𝔽 T • h(c set) = f(h(| set |), set)

where h(| set |) is the set of values h t for t in set.


A 
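Computationally, each PRT in examples 18 to 23 is a recursion combinator: a choice of "base case" and "body" arguments determines one function h on the free type. The following is an added Python example (not code from the report) that implements such a combinator for nat, for the T of example 19, for T ::= c « seq T » and for T ::= c « 𝔽 T », and then recovers the factorial, base, γ and δ functions of the examples from them. Elements of nat are represented as ints and elements of the other free types as tagged tuples; that encoding, the extra size and depth functions, and the sample values in demo are this example's own. The underspecification point of examples 20 and 21 is visible directly: two different choices of e give two different γ, and both satisfy γ's specification and hence δ's.

```python
from typing import Any, Callable, FrozenSet


# nat ::= 0 | suc « nat », with n represented as the Python int n.
def prt_nat(e: Any, f: Callable[[Any, int], Any]) -> Callable[[int], Any]:
    """The unique h with h 0 = e and h(suc n) = f(h n, n) (PRT of example 18)."""
    def h(n: int) -> Any:
        acc = e
        for k in range(n):        # acc holds h k; the next step gives h(suc k)
            acc = f(acc, k)
        return acc
    return h


# T ::= c « A » | d « B × T » (example 19), elements as ("c", a) or ("d", b, t).
def prt_T(f: Callable[[Any], Any], g: Callable[[Any, Any, Any], Any]) -> Callable[[tuple], Any]:
    """The unique h with h(c a) = f a and h(d(b, t)) = g(h t, b, t) (theorem (15))."""
    def h(x: tuple) -> Any:
        if x[0] == "c":
            return f(x[1])
        _, b, t = x
        return g(h(t), b, t)
    return h


# T ::= c « seq T » (example 22), elements as ("c", (t1, ..., tn)).
def prt_seq(f: Callable[[tuple, tuple], Any]) -> Callable[[tuple], Any]:
    """h(c s) = f(map h s, s)."""
    def h(x: tuple) -> Any:
        s = x[1]
        return f(tuple(h(t) for t in s), s)
    return h


# T ::= c « F T » (example 23), elements as ("c", frozenset({...})).
def prt_fin(f: Callable[[FrozenSet, FrozenSet], Any]) -> Callable[[tuple], Any]:
    """h(c set) = f(h(| set |), set).  f sees the IMAGE of set under h, so equal
    results collapse: a node count cannot be built from the image alone (two distinct
    subtrees of equal size would contribute once), whereas depth, a maximum, can."""
    def h(x: tuple) -> Any:
        st = x[1]
        return f(frozenset(h(t) for t in st), st)
    return h


# Example 18: e = 1, f = λ x, y : nat • (suc y) × x gives the factorial.
factorial = prt_nat(1, lambda x, y: (y + 1) * x)
# Example 20: e = 0 and f = λ x, y : nat • 2 × x gives one γ; any other e gives another.
gamma0 = prt_nat(0, lambda x, y: 2 * x)
gamma7 = prt_nat(7, lambda x, y: 2 * x)
# Example 19: f = λ a : A • c a and g = λ t1 : T; b : B; t2 : T • t1 give base.
base = prt_T(lambda a: ("c", a), lambda t1, b, t2: t1)
# Two functions over seq T (this example's own): node count and depth.
seq_size = prt_seq(lambda hs, s: 1 + sum(hs))
seq_depth = prt_seq(lambda hs, s: 1 + max(hs, default=0))
# Depth over F T, computed from the image h(| set |).
fin_depth = prt_fin(lambda hs, st: 1 + max(hs, default=0))


def satisfies_gamma(h: Callable[[int], int], upto: int) -> bool:
    """γ's specification, ∀ n • h(suc n) = 2 × (h n), checked for n < upto."""
    return all(h(n + 1) == 2 * h(n) for n in range(upto))


def satisfies_delta(h: Callable[[int], int], upto: int) -> bool:
    """δ's weaker specification, ∀ n • h(suc n) ∈ {m : nat • m × (h n)}, for n < upto."""
    def is_multiple(a: int, b: int) -> bool:      # a = m × b for some natural m
        return a == 0 if b == 0 else a % b == 0
    return all(is_multiple(h(n + 1), h(n)) for n in range(upto))


def demo() -> dict:
    """Constructed sample values for the functions above."""
    t = ("d", "b1", ("d", "b2", ("c", "a")))                  # d(b1, d(b2, c a))
    s = ("c", (("c", ()), ("c", ())))                          # c <c <>, c <>>
    leaf = ("c", frozenset())                                  # c {}
    fs = ("c", frozenset({leaf, ("c", frozenset({leaf}))}))    # c {c {}, c {c {}}}
    return {
        "fact5": factorial(5),
        "gamma0_3": gamma0(3),
        "gamma7_3": gamma7(3),
        "both_satisfy_gamma": satisfies_gamma(gamma0, 10) and satisfies_gamma(gamma7, 10),
        "gamma_satisfies_delta": satisfies_delta(gamma7, 10),
        "base": base(t),
        "seq_size": seq_size(s),
        "seq_depth": seq_depth(s),
        "fin_depth": fin_depth(fs),
    }
```

The nat combinator iterates rather than recurses only because Python ints are not built by suc; the other three follow the free type's structure exactly, and in each case the existence theorem of the text is the statement that the combinator returns a function for every choice of arguments.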

As mentioned at the start of this section, the PRTs shown so far can all be proved
from a representation of the particular free type, this representation coming from the
definitional extension method as described in section 2.2. The proof of the PRT
depends on the particular representation, but the author conjectures that the PRT for
a general free type

T ::= c1 | ... | cm | d1 « E1[T] » | ... | dn « En[T] »                      (16)

is

⊢ ∀ e1, ..., em : X;                                                           (17)
    f1 : (E1[X] × E1[T]) → X; ... ; fn : (En[X] × En[T]) → X •
    ∃₁ h : T → X •
        h c1 = e1 ∧
        ...
        h cm = em ∧
        ∀ x : E1[T] • h(d1 x) = f1(x', x) ∧
        ...
        ∀ x : En[T] • h(dn x) = fn(x', x)

where x' is obtained from x by replacing any t ∈ T appearing in x by h t.

To  see  how  the  PRT  for  a  particular  free  type  can  be  derived  from  (17),  consider  the 
next  example. 

Example  24 

Consider the free type in example 19, namely

T ::= c « A » | d « B × T »

Comparing T with the general form for a free type (16) yields

m = 0, n = 2, d1 = c, d2 = d, E1[T] = A, E2[T] = B × T

Therefore E1[X] = A and E2[X] = B × X. The general form for the PRT (17) therefore
gives

⊢ ∀ f1 : (A × A) → X; f2 : ((B × X) × (B × T)) → X •                          (18)
    ∃₁ h : T → X •
        ∀ x : A • h(c x) = f1(x', x) ∧
        ∀ x : (B × T) • h(d x) = f2(x', x)

Next, the x' are eliminated as described above. For any x : A, there are no elements of
T present in x, and so x' = x. For x : (B × T), x = (b, t) for some b : B and t : T, and so
x' = (b, h t). Thus (18) may be rewritten

⊢ ∀ f1 : (A × A) → X; f2 : ((B × X) × (B × T)) → X •                          (19)
    ∃₁ h : T → X •
        ∀ x : A • h(c x) = f1(x, x) ∧
        ∀ b : B; t : T • h(d(b, t)) = f2((b, h t), (b, t))

Theorem (19) can be made exactly the same as theorem (15) (the PRT for T in example
19) by specializing it with the function f1 taking the value

λ x, y : A • f x

and f2 taking the value

λ x : (B × X); y : (B × T) • g(snd x, fst y, snd y)

followed by β-reduction to give

⊢ ∃₁ h : T → X •                                                               (20)
    ∀ x : A • h(c x) = f x ∧
    ∀ b : B; t : T • h(d(b, t)) = g(h t, b, t)

The functions f and g in theorem (20) can then be generalized, followed by renaming
the bound variable x to be a, to yield theorem (15).

A 

3.1  Proving  a  primitive  recursion  theorem 

Recall  that  in  section  2,  two  methods  were  given  to  prove  that  a  recursive  free  type 
existed.  The  first  was  to  prove  the  finitary  condition;  the  second  was  to  use  a 
definitional  extension  and  construct  a  representation  for  the  free  type.  Proving  the 
finitary  condition  just  means  that  the  free  type  exists;  the  condition  itself  contains 
no  semantics  of  the  free  type  (for  example  that  the  constructors  are  injective).  The 
PRT  for  the  free  type  can  therefore  not  be  proved  directly  from  the  finitary 
condition.  Using  a  definitional  extension,  the  PRT  can  be  proved  using  the 
representation  of  the  free  type;  an  example  of  this  can  be  found  in  the  annex. 
4 Summary and conclusions

Sections  4.1  and  4.2  contain  some  rules  of  thumb  for  Z  practitioners,  on  how  to  avoid 
writing  inconsistent  free  types  and  recursive  functions.  Section  4.3  contains  the 
general  summary  and  conclusions  of  the  report. 

4.1  Free  types 

The following method can be used to see if a recursive free type T exists. Firstly,
identify each arm of the free type that involves T. Then, for each such arm, check that
every element of the expression inside the angled brackets « » is made from a finite
number of elements of T. Also, recall from the introduction that T must have one or
more "base elements"; elements which allow other, more complicated, elements to be
built up.

Example  25 

Consider  the  free  type 

T ::= a | b « A » | c « B × T » | d « C ⇻ T » | e « seq T »

where A, B and C are given sets. There are three arms of this free type that contain T,
namely

c « B × T »          (i)
d « C ⇻ T »          (ii)
e « seq T »          (iii)

Each element of the expression B × T in (i) has the form (b, t) for some b in B and t in T,
and is thus made from a finite number of elements of T; namely one. Each element of
the expression C ⇻ T in (ii) has the form

{c1 ↦ t1, c2 ↦ t2, ..., ck ↦ tk}

for some number k and c1, c2, ..., ck in C and t1, t2, ..., tk in T. Each element is thus
made from a finite number of elements of T; in this case k. Finally, each element of the
expression seq T in (iii) has the form

⟨t1, t2, ..., tn⟩

for some number n and t1, t2, ..., tn in T. Each element is thus made from a finite
number of elements of T; in this case n. Also the "base elements" come from the first
two arms of T. The free type T therefore exists.

A 
Example 26

Consider the free type

T ::= c | d « S »

where S is the schema

S
  a : A
  t : T

with A a given set. So just the arm d « S » of T contains T. If the following notation is
used to denote an element of S

which states that the strings a and t are bound to particular values of A and T, then
each element of S is made from exactly one element of T. Also, the first arm of
T contains the "base element" c. The free type T therefore exists.

A 
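The rule of thumb of section 4.1 can be mechanised as a syntactic walk over the free type definition. The following is an added Python example (not code from the report) that encodes the arms of examples 25 and 26 as small tagged tuples and reports "exists" only when every arm containing T is built from the constructs the report lists (×, 𝔽, ⇻, seq, and schemas whose components are such expressions) and at least one base arm is present. Any other construct makes the inspection inconclusive, meaning the finitary condition of section 2.1 has to be proved; the checker never claims non-existence. The tuple encoding, the construct names and the two constructed counter-cases are this example's own.

```python
from typing import Any, List, Optional, Tuple

T = "T"   # the free type being defined; given sets are other strings such as "A"

# Type expression encoding (this example's own):
#   "A"                      a given set
#   ("x", e1, e2, ...)       cartesian product e1 × e2 × ...
#   ("F", e)                 finite sets of e
#   ("pfun", e1, e2)         finite partial functions e1 -||-> e2
#   ("seq", e)               sequences of e
#   ("schema", {name: e})    a schema with the named components
INSPECTABLE = {"x", "F", "pfun", "seq", "schema"}


def components(e: tuple) -> List[Any]:
    """The immediate sub-expressions of a compound expression."""
    return list(e[1].values()) if e[0] == "schema" else list(e[1:])


def contains_T(e: Any) -> bool:
    """Does T occur anywhere in e?"""
    if isinstance(e, str):
        return e == T
    return any(contains_T(s) for s in components(e))


def finite_by_inspection(e: Any) -> Optional[bool]:
    """True: by the report's rule, every element of e is made from finitely many
    elements of T (a given set or T itself contributes at most one element, and the
    listed constructs only combine finitely many elements of their arguments).
    None: e uses a construct the rule does not cover, so nothing is concluded."""
    if isinstance(e, str):
        return True
    if e[0] not in INSPECTABLE:
        return None
    if any(finite_by_inspection(s) is None for s in components(e)):
        return None
    return True


def check_free_type(arms: List[Tuple[str, Any]]) -> str:
    """arms: (constructor, expression) pairs, expression None for a bare constant.
    Returns a verdict: 'exists', 'no base element', or 'inconclusive: ...'."""
    base_arms = [name for name, e in arms if e is None or not contains_T(e)]
    if not base_arms:
        return "no base element"
    unclear = [name for name, e in arms
               if e is not None and contains_T(e) and finite_by_inspection(e) is None]
    if unclear:
        return "inconclusive: prove the finitary condition for arm(s) " + ", ".join(unclear)
    return "exists"


# Example 25: T ::= a | b « A » | c « B × T » | d « C -||-> T » | e « seq T »
EXAMPLE_25 = [("a", None), ("b", "A"), ("c", ("x", "B", T)),
              ("d", ("pfun", "C", T)), ("e", ("seq", T))]

# Example 26: T ::= c | d « S » with S the schema [a : A; t : T]
EXAMPLE_26 = [("c", None), ("d", ("schema", {"a": "A", "t": T}))]

# Constructed counter-cases (not from the report): no base arm at all, and a
# construct outside the rule's list, labelled "P" here as a hypothetical arm.
NO_BASE = [("c", ("x", "A", T))]
UNLISTED = [("c", "A"), ("d", ("P", T))]
```

The verdict for UNLISTED is deliberately "inconclusive" rather than "does not exist": section 4.3 is explicit that outside the listed constructs the finitary condition has to be proved, and a by-eye check can only say that it has not been read off.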

4.2  Recursive  functions 

Given a recursive free type T that exists, the primitive recursion theorem (PRT) for T
can be used to see if a recursive function f, defined over T, exists. This is fully
explained in section 3. Basically, the PRT is used to try and produce a theorem
stating the existence of f. If the following two simple rules for specifying f are followed,
then the attempt to produce an existence theorem is more likely to be successful.
First, specify f on each arm of T separately. The function f does not have to be specified
on every arm of T. Secondly, for any arm d « E[T] » of T that contains T, specify f(d x),
where x is an element of E[T], by primitive recursion. That is, specify f(d x) in terms of
an expression involving f and x. The following examples will make these two rules
clear.

Example  27 

The  natural  numbers  can  be  considered  as  a  free  type,  namely 

nat ::= 0 | suc « nat »

Now consider the factorial function !. There are two arms in the free type definition of
nat, namely 0 and suc « nat », and so a recursive function over nat could be specified
on each arm separately, or just on the second arm. The function ! is specified on each arm
as below. The abbreviation 1 has been used for suc 0. As the second arm of nat contains
nat, (suc n)! is specified in terms of n!.

! : nat → nat

0! = 1
∀ n : nat • (suc n)! = (suc n) × n!


A 

Example  28 

Consider  the  free  type 


T ::= c « L » | d « M × T » | e « T × N »

where L, M and N are given sets. Now consider the function f as specified below. The
function is specified on just the first two arms, but separately. Also, as the second
arm of T contains T, f(d(m, t)) is specified in terms of f t.

f : T → L

∀ l : L • f(c l) = l
∀ m : M; t : T • f(d(m, t)) = f t


A 


4.3 General summary and conclusions


One method of proving that a recursive free type exists is to prove the finitary
condition for that free type, as discussed in section 2.1. That section describes a
strategy for proving the finitary condition. From this strategy it can be seen that a
recursive free type will exist provided that each arm d « E[T] » of T that contains T is
such that every element of E[T] consists of a finite number of elements of T. So, for
example, a recursive free type made from just ×, 𝔽, ⇻ and seq will exist. So by simply
inspecting a free type definition by eye, its existence can, in some cases, be
asserted. Some examples of this are given in section 4.1. In other cases, the
existence of the free type will not be so obvious, and the finitary condition will have
to be proved. The finitary proof obligation can be automatically produced. It is not
obvious how much of the proof can be automated, but following the strategy in
section 2.1 will lead to a proof. From the strategy, it can be seen that if the free type
contains only ×, 𝔽, ⇻ and seq, then most, if not all, of the proof (if a proof was
required) could be automated. Having established the existence of the free type by
proving the finitary condition, the primitive recursion theorem (PRT) for the free
type can then be asserted as an axiom. The PRT can then be used to prove that a
recursive function defined over the free type exists, as discussed in section 3.

Another method for proving that a recursive free type exists is to use a definitional
extension, as discussed in section 2.2. The idea here is to construct a representation
for the free type. The particular representation discussed is to use a set of labelled
trees to represent the free type. The free type is then made isomorphic to its
representation. The PRT for this free type can then be proved using its
representation. The PRT can then be used to prove that a recursive function defined
over the free type exists, just as before. It is not obvious whether the construction of
the representation can be automated. Also, the representation itself could get a bit
complicated. For example, what representation should be used for T ::= c « 𝔽 𝔽 T »?
Also it is not obvious how much of the proof of the PRT using the representation can
be automated. Certainly the construction of the representation, and proof of the PRT,
for a free type definition T consisting only of existing types, × and simple occurrences
of T, for example

T ::= c « A × T » | d « B × T × T »

where A and B are given sets, can be fully automated. The automation of such free
types would be analogous to the automation in Melham's type definition package [2] in
HOL.

The process of trying to obtain an existence theorem for a recursive function f from a
PRT for a free type T is more likely to succeed if the two simple rules described in
section 4.2 are followed. The first rule is that f should be defined on each arm of T
separately, but f does not have to be defined on every arm of T. The second rule is that
for any arm d « E[T] » of T that contains T, specify f(d x), where x is an element of E[T],
by primitive recursion. That is, specify f(d x) in terms of an expression involving f and x.
The examples in section 4.2 clarify these two rules.
Annex

This annex shows how Melham's define_type function in HOL (version 1.11) defines
the following free type

T ::= c « A » | d « B × T × T »

where A and B are given sets, by definitional extension. The annex shows how the
representation of the free type, as a set of labelled trees, is performed (part 1),
together with the proof of the primitive recursion theorem (PRT) for the free type
(part 2). This annex is equivalent to one call of define_type for T. The HOL commands
are in italics, but the HOL syntax has not been fully adhered to. The syntax that
define_type expects means that T would actually have to be input as

T = c A | d B T T

which means that the constructor d will have type B → T → T → T, rather than
(B × T × T) → T as in the Z. Also, it is assumed that A and B already exist before
define_type is called. This can be achieved by the two commands

new_type 0 'A';;
new_type 0 'B';;


1.  Defining  the  free  type  T 

The function define_type first defines a predicate IS_T_REP below, which is true only
of those labelled trees which represent elements of T. The predicate IS_T_REP will
characterise the subset of (A + B)ltree which is to represent the free type T. For any type
*, (*)ltree is the type of trees, of any shape, labelled with elements of *. The type
A + B is the labelled disjoint union of A and B. HOL contains the built-in functions
INL and INR to form elements of A + B from elements of A and B respectively. The
tree with top node labelled with v and list of subtrees tl is written in HOL as Node v tl.
The type of labelled trees has itself been defined using a definitional extension in
HOL. The function LENGTH gives the length of a list.

let IS_T_REP = new_definition('IS_T_REP',
  "IS_T_REP (tree : (A + B)ltree) =
     TRP
       (λ v : (A + B); tl : ((A + B)ltree)list •
          (∃ a : A • v = INL a) ∧ (LENGTH tl = 0)
          ∨ (∃ b : B • v = INR b) ∧ (LENGTH tl = 2)
       )
       tree");;

The function TRP in IS_T_REP is now explained. In IS_T_REP, the basic predicate
which defines those trees which are representations is

(∃ a : A • v = INL a) ∧ (LENGTH tl = 0)                                   (21)
∨ (∃ b : B • v = INR b) ∧ (LENGTH tl = 2)

But unfortunately, this is not quite good enough, since, for example, the tree

            INR b
            /   \
           /     \
       INR b     INR b

satisfies (21). But the above tree does not represent any element of the free type T. The
trouble is, predicate (21) only states what form the top node should have and the
number of subtrees from the top node. Predicate (21) says nothing about the form of the
subtrees. To rule out trees such as the one above, the function TRP is required, which basically
makes sure that predicate (21) is obeyed all the way down the tree. The function TRP is
defined in HOL as follows

TRP  ⊢ ∀ P v tl • TRP P (Node v tl) = (P v tl) ∧ (EVERY (TRP P) tl)

where the function EVERY is defined as

EVERY_DEF  ⊢ (∀ P • EVERY P [] = T) ∧
             (∀ P h t • EVERY P (CONS h t) = (P h) ∧ (EVERY P t))

The function CONS adds an element to the front of a list. The names TRP and
EVERY_DEF that appear to the left of the two turnstiles, ⊢, above are simply the names
of the definitions, so that they can be used in theorem proving. For example, it must
be shown that IS_T_REP characterises a non-empty subset of (A + B)ltree, that is, the
following goal must be proved.

∃ tree : (A + B)ltree • IS_T_REP tree

An existential witness that can be used for this goal is the tree

INL a

for some a in A. This tree is written in HOL as Node (INL a) []. The tactic which
proves the goal is

EXISTS_TAC "Node (INL a) [] : (A + B)ltree" THEN
REWRITE_TAC [IS_T_REP; TRP; EVERY_DEF] THEN
BETA_TAC THEN
REWRITE_TAC [LENGTH]

where LENGTH is the definition

LENGTH  ⊢ (LENGTH [] = 0) ∧
          (∀ h t • LENGTH (CONS h t) = SUC (LENGTH t))

The function SUC is the successor function; it adds 1 to its argument. Let NON_EMPTY
denote the existence theorem just proved.

NON_EMPTY  ⊢ ∃ tree • IS_T_REP tree

The free type T is made isomorphic to its representation, that is, the subset of
(A + B)ltree characterised by IS_T_REP. Notice that this step requires the theorem
just proved.

let T_ISO = new_type_definition('T', "IS_T_REP : (A + B)ltree → bool", NON_EMPTY);;

Next, the names REP_T and ABS_T are given to the isomorphisms. Thus REP_T has
type T → (A + B)ltree and ABS_T has type (A + B)ltree → T.

define_new_type_isomorphisms(EXPAND_TY_DEF T_ISO)

The function EXPAND_TY_DEF above is built in to HOL. This step also produces
some theorems involving REP_T and ABS_T which are needed in step 2 (proving the
PRT), for example

⊢ ∀ a • ABS_T(REP_T a) = a
⊢ ∀ r • IS_T_REP r = (REP_T(ABS_T r) = r)

Finally, the constructors c and d of T are defined.

new_definition('c_DEF', "c a = ABS_T(Node (INL a) [])");;

new_definition('d_DEF', "d b t1 t2 = ABS_T(Node (INR b) [REP_T t1; REP_T t2])");;

which state what the tree representations of c a and d b t1 t2 are.


2.  Proving  the  primitive  recursion  theorem 

The following theorem has been proved in HOL

TY_DEF_THM  ⊢ ∀ P ABS REP •
    antecedents ⇒
    ∀ f •
      ∃₁ fn •
        ∀ v tl •
          P v (MAP REP tl) ⇒
          fn(ABS(Node v (MAP REP tl))) = f (MAP fn tl) v tl

This is a general theorem which define_type uses to obtain the PRT for T. It can be used
to obtain the PRT for any free type defined in terms of labelled trees; it simply has
to be instantiated for T, and then simplified. The antecedents in the above theorem are
theorems obtained from part 1, and can thus soon be removed by modus ponens. So
define_type instantiates TY_DEF_THM for T and then specializes P to be predicate (21)
(see part 1), ABS to be ABS_T and REP to be REP_T. After modus ponens with the
antecedents this produces the new theorem

⊢ ∀ f •
    ∃₁ fn •
      ∀ v tl •
        (∃ a • v = INL a) ∧ (LENGTH(MAP REP_T tl) = 0)
        ∨ (∃ b • v = INR b) ∧ (LENGTH(MAP REP_T tl) = 2)
        ⇒
        fn(ABS_T(Node v (MAP REP_T tl))) = f (MAP fn tl) v tl

Already it can be seen that this theorem has the basic shape of a PRT. By certain
simplifications of the theorem, the details of which are given in [2], the PRT

∃₁ fn •
    ∀ a • fn(c a) = f1 a
    ∧ ∀ b t1 t2 • fn(d b t1 t2) = f2 (fn t1) (fn t2) b t1 t2

is obtained.
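As an added example (not the report's or HOL's code), the following Python mirrors part 2 in executable form: a generic recursion over the labelled-tree representation stands in for the fn of TY_DEF_THM, IS_T_REP is predicate (21) pushed down the tree by TRP, and prt_from_rep specialises the generic f so that the two PRT equations for c and d hold. REP_T and ABS_T are identities here, since an element of T is taken to be its representing tree; that simplification, the INL/INR encoding, the two sample functions and the sample trees in demo are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Tuple


@dataclass(frozen=True)
class Node:
    """(A + B)ltree: a tree of any shape labelled with INL a or INR b values."""
    label: Tuple[str, Any]
    subtrees: Tuple["Node", ...] = ()


def INL(a: Any) -> Tuple[str, Any]:
    return ("INL", a)


def INR(b: Any) -> Tuple[str, Any]:
    return ("INR", b)


# c_DEF and d_DEF with ABS_T taken as the identity.
def c(a: Any) -> Node:
    return Node(INL(a), ())


def d(b: Any, t1: Node, t2: Node) -> Node:
    return Node(INR(b), (t1, t2))


def pred21(v: Tuple[str, Any], tl: Tuple[Node, ...]) -> bool:
    """Predicate (21): the admissible shape of a single node."""
    return (v[0] == "INL" and len(tl) == 0) or (v[0] == "INR" and len(tl) == 2)


def is_t_rep(tree: Node) -> bool:
    """IS_T_REP = TRP of predicate (21): (21) at this node and at every node below."""
    return pred21(tree.label, tree.subtrees) and all(is_t_rep(t) for t in tree.subtrees)


def tree_rec(f: Callable[[tuple, Tuple[str, Any], Tuple[Node, ...]], Any]) -> Callable[[Node], Any]:
    """The fn given by TY_DEF_THM: fn(Node v tl) = f (MAP fn tl) v tl."""
    def fn(tree: Node) -> Any:
        return f(tuple(fn(t) for t in tree.subtrees), tree.label, tree.subtrees)
    return fn


def prt_from_rep(f1: Callable[[Any], Any], f2: Callable[..., Any]) -> Callable[[Node], Any]:
    """Specialise f so that fn(c a) = f1 a and fn(d b t1 t2) = f2 (fn t1) (fn t2) b t1 t2."""
    def f(results: tuple, v: Tuple[str, Any], tl: Tuple[Node, ...]) -> Any:
        if v[0] == "INL":
            return f1(v[1])
        r1, r2 = results
        t1, t2 = tl
        return f2(r1, r2, v[1], t1, t2)
    return tree_rec(f)


# Two recursive functions over T obtained by choosing f1 and f2 (this example's own).
LEAVES_F1 = lambda a: 1
LEAVES_F2 = lambda r1, r2, b, t1, t2: r1 + r2
leaves = prt_from_rep(LEAVES_F1, LEAVES_F2)
height = prt_from_rep(lambda a: 0, lambda r1, r2, b, t1, t2: 1 + max(r1, r2))


def prt_equations_hold(fn: Callable[[Node], Any], f1, f2, tree: Node) -> bool:
    """Check both PRT equations at every node of a representation."""
    v, tl = tree.label, tree.subtrees
    if v[0] == "INL":
        return fn(tree) == f1(v[1])
    t1, t2 = tl
    return (fn(tree) == f2(fn(t1), fn(t2), v[1], t1, t2)
            and prt_equations_hold(fn, f1, f2, t1)
            and prt_equations_hold(fn, f1, f2, t2))


def demo() -> dict:
    """Constructed sample trees, including the annex's counterexample to (21) alone."""
    t = d("b1", c("a1"), d("b2", c("a2"), c("a3")))
    bad = Node(INR("b"), (Node(INR("b"), ()), Node(INR("b"), ())))
    return {
        "good_is_rep": is_t_rep(t),
        "bad_satisfies_21_at_top": pred21(bad.label, bad.subtrees),
        "bad_is_rep": is_t_rep(bad),
        "leaves": leaves(t),
        "height": height(t),
        "leaves_equations_hold": prt_equations_hold(leaves, LEAVES_F1, LEAVES_F2, t),
    }
```

The separation between tree_rec and prt_from_rep is the same as the one in the annex: the first is the general recursion TY_DEF_THM provides for any labelled tree, and the second is the instantiation for T that the simplifications in [2] turn into the two-equation PRT.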